Bug 170924 - ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
Summary: ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: Mac macOS 10.12
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-04-17 16:06 PDT by Daniel Bates
Modified: 2017-04-26 19:28 PDT (History)
15 users (show)

See Also:

Attachments
Test case (44 bytes, text/html)
2017-04-19 16:15 PDT, Daniel Bates 		no flags Details
patch (7.43 KB, patch)
2017-04-25 19:19 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
patch (7.44 KB, patch)
2017-04-25 19:20 PDT, Saam Barati 		mark.lam: review+
buildbot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ews101 for mac-elcapitan (964.97 KB, application/zip)
2017-04-25 20:10 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (1.04 MB, application/zip)
2017-04-25 20:19 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (15.44 MB, application/zip)
2017-04-25 21:00 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews112 for mac-elcapitan (1.60 MB, application/zip)
2017-04-25 21:55 PDT, Build Bot 		no flags Details
patch for landing (15.07 KB, patch)
2017-04-26 14:56 PDT, Saam Barati 		buildbot: commit-queue-
Details | Formatted Diff | Diff
patch for landing (15.96 KB, patch)
2017-04-26 16:07 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2017-04-17 16:06:26 PDT 
1. Create a page xss.php with the following markup that can be served from an HTTP server:

<script>var q="<?php echo $_GET['q']; ?>"</script>

2. Access the page at <http://127.0.0.1/xss.php?q=%22i\u006E+alert(1)//>, modifying the URL as needed to access xss.php.

Then the WebProcess will crash because the assertion RELEASE_ASSERT(inIndex != notFound) fails in JSC::invalidParameterInSourceAppender().

I am using a local build of Mac WebKit at r215419.
Comment 1 Daniel Bates 2017-04-17 16:34:28 PDT 
ASSERTION FAILED: inIndex != notFound
/Volumes/Data/WebKitDevGit/OpenSource/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp(208) : WTF::String JSC::invalidParameterInSourceAppender(const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred)
1   0x109b6a00d WTFCrash
2   0x1091ef117 JSC::invalidParameterInSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
3   0x1091e6f65 JSC::appendSourceToError(JSC::ExecState*, JSC::ErrorInstance*, unsigned int)
4   0x1091e6c9e JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool)
5   0x1091e1efa JSC::ErrorInstance::create(JSC::ExecState*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
6   0x1091e242a JSC::createTypeError(JSC::ExecState*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType)
7   0x1091eed6b JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
8   0x1091eefce JSC::createInvalidInParameterError(JSC::ExecState*, JSC::JSValue)
9   0x108ccb710 JSC::CommonSlowPaths::opIn(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ArrayProfile*)
10  0x108ccb549 slow_path_in
11  0x1096ced82 llint_entry
12  0x1096c86fe vmEntryToJavaScript
13  0x10949e89e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
14  0x10945009f JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
15  0x108cdb028 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
16  0x108cdb1f0 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
17  0x110243e1b WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
18  0x110243c08 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*)
19  0x110243efd WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*)
20  0x110259b42 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
21  0x110257f8f WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
22  0x10e9dba60 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)
23  0x10e9db8cf WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&)
24  0x10e902b72 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
25  0x10e9030d3 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
26  0x10e901e18 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
27  0x10e90196b WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
28  0x10e9043da WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
29  0x10e2dec22 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)
30  0x10e424b79 WebCore::DocumentWriter::addData(char const*, unsigned long)
31  0x10e3d866f WebCore::DocumentLoader::commitData(char const*, unsigned long)
Comment 2 Daniel Bates 2017-04-19 16:15:55 PDT 
Created attachment 307519 [details]
Test case

For convenience, attached test case that represents the rendered output of the web page shown by following the reproduction steps.
Comment 3 Radar WebKit Bug Importer 2017-04-19 16:53:04 PDT 
<rdar://problem/31721052>
Comment 4 Saam Barati 2017-04-19 17:15:49 PDT 
This is a silly bug. And should be an easy fix. The code I wrote searches for the string "in", however, we parse various Unicode characters as "n". So the test program is parsed as an "in" expression, but we don't find the string "in" (obviously, because the source does not have the character "n" in it)
Comment 5 Saam Barati 2017-04-25 19:19:41 PDT 
Created attachment 308190 [details]
patch
Comment 6 Saam Barati 2017-04-25 19:20:47 PDT 
Created attachment 308191 [details]
patch
Comment 7 Build Bot 2017-04-25 19:59:02 PDT 
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3606661

New failing tests:
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate
stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously
stress/destructuring-assignment-accepts-iterables.js.no-ftl
stress/destructuring-assignment-accepts-iterables.js.no-llint
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-llint
stress/destructuring-assignment-accepts-iterables.js.dfg-eager
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-ftl
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-dfg-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.default
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-cjit
stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler
stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases
Comment 8 Mark Lam 2017-04-25 20:00:13 PDT 
Comment on attachment 308191 [details]
patch

LGTM.  Please fix EWS issues.
Comment 9 Build Bot 2017-04-25 20:10:37 PDT 
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3606743

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Comment 10 Build Bot 2017-04-25 20:10:38 PDT 
Created attachment 308195 [details]
Archive of layout-test-results from ews101 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 11 Build Bot 2017-04-25 20:19:36 PDT 
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3606771

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Comment 12 Build Bot 2017-04-25 20:19:38 PDT 
Created attachment 308197 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 13 Build Bot 2017-04-25 21:00:32 PDT 
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3606854

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Comment 14 Build Bot 2017-04-25 21:00:34 PDT 
Created attachment 308206 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 15 Build Bot 2017-04-25 21:55:32 PDT 
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3607284

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Comment 16 Build Bot 2017-04-25 21:55:33 PDT 
Created attachment 308212 [details]
Archive of layout-test-results from ews112 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 17 Saam Barati 2017-04-26 12:41:52 PDT 
Will rebaseline the failing tests.
Comment 18 Saam Barati 2017-04-26 14:56:47 PDT 
Created attachment 308289 [details]
patch for landing
Comment 19 Build Bot 2017-04-26 15:34:26 PDT 
Comment on attachment 308289 [details]
patch for landing

Attachment 308289 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3613184

New failing tests:
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate
stress/destructuring-assignment-accepts-iterables.js.dfg-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1
stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously
stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate
stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.no-ftl
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler
stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool
stress/destructuring-assignment-accepts-iterables.js.default
stress/destructuring-assignment-accepts-iterables.js.no-llint
Comment 20 Saam Barati 2017-04-26 16:07:09 PDT 
Created attachment 308300 [details]
patch for landing

edited some more error messages
Comment 21 WebKit Commit Bot 2017-04-26 19:28:42 PDT 
Comment on attachment 308300 [details]
patch for landing

Clearing flags on attachment: 308300

Committed r215852: <http://trac.webkit.org/changeset/215852>
Comment 22 WebKit Commit Bot 2017-04-26 19:28:45 PDT 
All reviewed patches have been landed.  Closing bug.